You woke up this morning, checked your Supabase dashboard, and saw something
terrifying: 500+ new users joined your app overnight. For a split second, you celebrated growth.
Then you saw the emails: bot823@temp-mail.com, xy_99@mailbox.org,
admin_123@proton.me.
You've been hit by automated bot signups. If you're building on Next.js and Vercel, this isn't just a database clutter problem; it's an infrastructure liability. These fake accounts can trigger expensive webhooks, drain your Auth quotas, and poison your email reputation.
But you hate CAPTCHAs. You don't want to force your real human users to identify fire hydrants just to try your SaaS. Here is how to stop the flood without damaging your conversion rate.
The Vulnerability: Why Supabase is a Target
Supabase makes Auth incredibly easy, but by default, its signUp() method is a
public-facing endpoint. Bots use headless browsers (Puppeteer, Playwright) to hit your
/api/auth/signup route or directly communicate with the Supabase GoTrue server.
Common defenses like honeypots or simple per-IP rate limits are easily bypassed by modern rotating proxies, which present each request from a fresh address. This is why you need deterministic trust analysis.
Step 1: Move Auth to a Server Action or API Route
Never call supabase.auth.signUp() directly from the client. To implement real security,
you need to gate the request on the server (Next.js Server Actions or Route Handlers). This allows
you to perform an invisible trust check before Supabase ever sees the request.
```ts
// Example: Next.js Server Action with Sentinel
"use server";
import { headers } from "next/headers";
import { sentinel } from "@/lib/sentinel";
import { supabase } from "@/lib/supabase"; // server-side client; path assumed

export async function handleSignup(formData: FormData) {
  // Vercel sets X-Forwarded-For; the leftmost entry is the client, later entries are proxies.
  // On Next.js 15+ headers() is async, so write `(await headers())` there.
  const ip = headers().get("x-forwarded-for")?.split(",")[0]?.trim() ?? "";
  // 1. Silent Trust Check
  const { allow, reason } = await sentinel.check(ip, {
    profile: "signup",
  });
  if (!allow) {
    console.warn(`Blocked bot signup attempt: ${reason}`);
    throw new Error("Security verification failed.");
  }
  // 2. Proceed with Supabase Auth using the credentials from the form
  const { data, error } = await supabase.auth.signUp({
    email: String(formData.get("email")),
    password: String(formData.get("password")),
  });
  if (error) throw error;
  return data;
}
```
Step 2: Use "Turnstile for APIs" (The Sentinel Way)
The best CAPTCHA alternative for Vercel apps is one that works silently. Instead of showing a puzzle, Sentinel analyzes the Infrastructure DNA of the request in under 50ms.
By checking if the request is coming from a known residential ISP versus a suspicious datacenter (like AWS or DigitalOcean), Sentinel can block 92% of fake signups before they hit your database. This is how you maintain a clean Supabase Auth table without a single "Select all boats" puzzle.
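As an added example (not Sentinel's code and not from the original post), here is a self-contained version of the gate from Step 1 combined with the datacenter-versus-residential decision described above, written in plain TypeScript so it runs offline. The trust provider is injected, so the constructed local check can be swapped for a real API call. Every name here (gateSignup, clientIpFromForwardedFor, inCidr, localTrustCheck, DATACENTER_RANGES) is an assumption, and the "datacenter" range is the 203.0.113.0/24 documentation block standing in for a real provider range, not an actual AWS or DigitalOcean prefix.

```typescript
// Added example: server-side signup gate with an injectable trust check.
// Not part of the original post or of the Sentinel product.

export type TrustVerdict = { allow: boolean; reason: string };
export type TrustCheck = (ip: string, profile: string) => Promise<TrustVerdict>;

// Extract the client IP from X-Forwarded-For. Vercel sets the header; the
// leftmost entry is the client as seen by the edge, later entries are proxies.
// Only IPv4 is accepted here; IPv6 would need its own parser.
export function clientIpFromForwardedFor(header: string | null): string | null {
  if (!header) return null;
  const first = (header.split(",")[0] ?? "").trim();
  const m = first.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? first : null;
}

// Pack dotted IPv4 into an unsigned 32-bit integer.
function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// True when `ip` falls inside the IPv4 CIDR block `cidr`.
export function inCidr(ip: string, cidr: string): boolean {
  const parts = cidr.split("/");
  const base = parts[0] ?? "";
  const bits = Number(parts[1] ?? "32");
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Constructed stand-in for a datacenter range list: the 203.0.113.0/24
// documentation block, NOT a real cloud provider prefix.
export const DATACENTER_RANGES = ["203.0.113.0/24"];

// Local, offline trust check: block anything inside a listed datacenter range.
// A real deployment would replace this with the provider's API call.
export const localTrustCheck: TrustCheck = async (ip, profile) => {
  if (DATACENTER_RANGES.some((c) => inCidr(ip, c))) {
    return { allow: false, reason: `datacenter IP on ${profile} profile` };
  }
  return { allow: true, reason: "residential" };
};

// The gate itself: no usable client IP is treated as a block, not a pass,
// so a stripped or malformed header cannot slip through.
export async function gateSignup(
  headers: Record<string, string | null>,
  check: TrustCheck = localTrustCheck,
): Promise<TrustVerdict> {
  const ip = clientIpFromForwardedFor(headers["x-forwarded-for"] ?? null);
  if (!ip) return { allow: false, reason: "no usable client IP" };
  return check(ip, "signup");
}

// Usage inside a server action: const verdict = await gateSignup({ "x-forwarded-for": xff });
```

Two caveats when wiring this in. First, X-Forwarded-For is only trustworthy when a proxy you control sets it; Vercel does, but on a self-hosted deployment a client can supply its own value, so read the IP from whatever your edge writes rather than from the raw header. Second, the post itself notes that bots can talk to GoTrue directly, so a server-side gate only closes the front door if public self-signup is also disabled in the Supabase Auth settings and the server creates accounts itself; check that setting before relying on the gate.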
Why Legacy CAPTCHAs Fail on Next.js
Legacy systems like reCAPTCHA add massive JavaScript bundles to your app, slowing down your LCP (Largest Contentful Paint) and hurting your SEO. More importantly, they often fail for VPN users or people on shared IPs in regions like India, leading to endless CAPTCHA loops.
Sentinel is designed to be decoupled. It doesn't rely on massive client-side scripts. It's a pure Intelligence API that fits perfectly into the Next.js Middleware or Server Action lifecycle.
Conclusion: Reclaim Your SaaS Runway
Every fake user is a "Ghost Traffic Tax" on your business. Stop paying for compute and storage that doesn't belong to real people. By switching to a behavioral trust layer, you can keep your Supabase metrics pure and your Next.js app blazing fast.
Ready to secure your Auth flow? Get your Sentinel API key and stop bot signups in under 5 minutes.